Monday, April 30, 2018

Re: Best Practices python virtualenv

Hello.
Short answer: if you do not need py-cryptography and QtWebKit, just rebuild
python from ports, disabling USE_WXNEEDED.
I run Django using virtualenv in my $HOME and it works.

Long answer:
To use mmap(2) with PROT_EXEC | PROT_WRITE you need to link the binary with
-z wxneeded (see ld(1)).
It adds the OPENBSD_WXNEEDED header to the binary.
You can check it with
$ readelf -a /usr/local/bin/python2 | grep WX
There should be "OPENBSD_WXNEED".

Without it, mmap(2) returns "Not supported" for such requests.

On a filesystem mounted without wxallowed, binaries with this header can't be
executed.
You will get "Permission denied".

At some point, people found that py-cryptography and QtWebKit
need this header, so they added USE_WXNEEDED=yes to the port.
http://openbsd-archive.7691.n7.nabble.com/Patch-Python-for-non-wxallowed-usr-local-td335767.html

See /usr/ports/lang/python/Makefile.inc
See also /usr/ports/infrastructure/mk/bsd.port.mk
for how this option is used and how Makefile.inc is included.

/usr/local has wxallowed, so py-cryptography and QtWebKit work there.
But they did not care about virtualenv.

We now have python linked with wxneeded by default:
$ readelf -a /usr/local/bin/python2 | grep WX
OPENBSD_WXNEED 0x0000000000000000 0x0000000000000000 0x0000000000000000
and its execution is not allowed on a filesystem mounted without wxallowed.

To fix it, simply rebuild python with this option disabled.

A better solution is to create two flavors of python (with this option and
without), but that has not been done.

Ilya.
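
The check described in the message, as an added example that is not part of the original post: given readelf(1) and mount(8) output, it predicts whether a binary such as a virtualenv's python copy will be refused with "Permission denied". The function names, the sample paths and the sample mount table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Predicts whether OpenBSD
# refuses to execute a binary because it carries the wxneeded header but
# sits on a filesystem that is not mounted with wxallowed.

# Succeeds if the readelf output on stdin lists the wxneeded header.
has_wxneeded() {
    grep -q 'OPENBSD_WXNEED'
}

# Prints the mount(8) line of the filesystem that holds path $1.
# mount(8) output is read from stdin; the longest matching mount point wins.
mount_line_for() {
    awk -v p="$1" '
        {
            mp = $3
            pre = (mp == "/") ? "/" : mp "/"
            if ((p == mp || index(p, pre) == 1) && length(mp) > best) {
                best = length(mp); line = $0
            }
        }
        END { if (line != "") print line }'
}

# Prints "blocked", "allowed" or "no-wxneeded" for path $1,
# given readelf output in $2 and mount output in $3.
exec_verdict() {
    if ! printf '%s\n' "$2" | has_wxneeded; then
        echo "no-wxneeded"   # runs anywhere, but W|X mmap(2) requests fail
        return
    fi
    line=$(printf '%s\n' "$3" | mount_line_for "$1")
    case "$line" in
        *wxallowed*) echo "allowed" ;;
        *)           echo "blocked" ;;   # exec fails: Permission denied
    esac
}

# Constructed sample data (hypothetical devices and mount table).
SAMPLE_READELF='  OPENBSD_WXNEED 0x0000000000000000 0x0000000000000000 0x0000000000000000'
SAMPLE_MOUNT='/dev/sd0a on / type ffs (local)
/dev/sd0k on /home type ffs (local, nodev, nosuid)
/dev/sd0d on /usr type ffs (local, nodev)
/dev/sd0h on /usr/local type ffs (local, nodev, wxallowed)'

# Live use on OpenBSD: exec_verdict "$bin" "$(readelf -a "$bin")" "$(mount)"
exec_verdict /home/user/venv/bin/python2 "$SAMPLE_READELF" "$SAMPLE_MOUNT"
```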
